New details have emerged about the attack on Marriott last year, following a testimony by the Group’s CEO Arne Sorenson.
Marriott first revealed it had suffered a massive data breach affecting the records of up to 500 million customers on 30 November last year. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.
Marriott had first learned of the breach on September 8 when it was contacted by Accenture, the IT company managing its Starwood guest reservation database, Sorenson told the Senate Committee on Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations last week. IBM Guardium, a database activity monitoring product that Accenture ran on the Starwood guest reservation database, had detected an anomaly on September 7.
According to Sorenson’s latest statement, 383 million guest records and 18.5 million encrypted passport numbers were breached. Details included 9.1 million encrypted payment card numbers, 385,000 of which were still unexpired, in addition to 5.25 million unencrypted passport numbers. He denied that China was to blame for the hack.
The Guardium alert was triggered by a query from an administrator’s account that returned the count of rows in a table in the database, according to Sorenson. The query stood out because a reservation application does not issue row counts in normal operation: it indicated that a human operator was interacting with the database directly, which is how an attacker sizes up what a table holds before taking it.
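The detection described above, recast as a small audit-log scanner, is an added example and is not Marriott’s, Accenture’s or IBM Guardium’s own logic or rule syntax. It assumes a constructed audit-log format, hypothetical account and host names, and an assumed policy of which jump hosts a privileged account is expected to use; the point is that a row count or schema enumeration is not application behaviour, so it is worth alerting on from any account, and worth treating as high severity when the account is privileged but the source host is not one the administrator normally works from.

```python
"""Flag reconnaissance-style SQL (row counts, schema enumeration) in a DB audit log.

Added example, not the page's or any vendor's code. Log format, account names,
table names and the expected-host policy are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed audit records: "<ts> user=<account> src=<host> sql=<statement>"
SAMPLE_AUDIT_LOG = """\
2018-09-07T02:10:11Z user=resv_app src=app01 sql=SELECT guest_id, last_name FROM guests WHERE guest_id = 48113
2018-09-07T02:10:12Z user=resv_app src=app01 sql=UPDATE reservations SET status='CONFIRMED' WHERE res_id = 9923
2018-09-07T02:31:44Z user=dba_admin src=ws-finance-17 sql=SELECT COUNT(*) FROM guests
2018-09-07T02:32:01Z user=dba_admin src=ws-finance-17 sql=SELECT table_name FROM information_schema.tables
2018-09-07T02:45:00Z user=dba_admin src=dba-jump01 sql=SELECT COUNT(*) FROM guests
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) sql=(?P<sql>.+)$")

# Assumed policy: privileged accounts and the hosts they are expected to connect from.
EXPECTED_ADMIN_HOSTS = {"dba_admin": {"dba-jump01"}}

# Query shapes an application does not issue on its own; a human or a tool does.
RECON_RULES = [
    ("row count", re.compile(r"\bSELECT\s+COUNT\s*\(\s*\*\s*\)\s+FROM\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\.", re.I)),
]


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    sql: str
    reason: str
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one audit record, or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[Alert]:
    """Decide whether a parsed record is reconnaissance-like and how severe it is."""
    matched = [name for name, rx in RECON_RULES if rx.search(rec["sql"])]
    if not matched:
        return None
    reason = " + ".join(matched)
    if rec["user"] in EXPECTED_ADMIN_HOSTS:
        if rec["src"] not in EXPECTED_ADMIN_HOSTS[rec["user"]]:
            # Privileged credentials used from a host the DBA does not normally use:
            # the pattern of a stolen or abused admin account.
            severity = "high"
            reason += f"; privileged account used from unexpected host {rec['src']}"
        else:
            # Legitimate-looking admin activity still deserves a check with the owner.
            severity = "medium"
            reason += "; privileged account from expected host (verify with owner)"
    else:
        # An application service account has no reason to count rows or list tables.
        severity = "high"
        reason += "; application account issuing recon-style query"
    return Alert(rec["ts"], rec["user"], rec["src"], rec["sql"], reason, severity)


def scan(log_text: str) -> list:
    """Run every line of the audit log through the classifier; skip lines that do not parse."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT_LOG):
        print(f"[{a.severity}] {a.ts} {a.user}@{a.src}: {a.sql} -> {a.reason}")
```

Run against the constructed log, the two normal application queries pass silently, the two queries from the administrator's account on the finance workstation are flagged high, and the identical row count from the expected jump host is flagged medium for follow-up. A real deployment would key the expected-host policy off an inventory rather than a literal and would feed the alert into case management, but the triage logic is the same.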
On September 10, Marriott called in third-party investigators to determine whether it had been breached. Soon afterwards, malware was found on the Starwood IT systems: a Remote Access Trojan (RAT), which gives attackers covert access to, surveillance of and control over a compromised computer.
However, at this point the firm found no evidence that customer data had been accessed. The investigation continued and in October the third-party investigators discovered Mimikatz, a tool used by penetration testers and attackers alike. Its presence raised suspicions because Mimikatz extracts usernames, passwords and other credential material from a Windows machine’s memory, and harvested credentials are exactly what an attacker needs to move laterally from Starwood to other parts of the network. Yet, surprisingly, there was still no evidence that customer data had been accessed.
It was in November that Marriott realized the attackers had been in the Starwood system since July 2014. Later that month, the firm found that customer data had indeed been taken. Sorenson described how, on November 13, investigators discovered evidence that two compressed, encrypted files had been deleted from a device, a pattern consistent with data being packaged for exfiltration and the staging files then removed to cover the traces.
Six days later, investigators managed to decrypt the files. Their contents: a table of passport information and a table from the Starwood Guest Reservation Database containing guest data.
For more details, a recording of Sorenson’s testimony is available.
“Suffering a large-scale data breach can be devastating for a company, but once it’s occurred it becomes a case of how quickly you can repair the damage,” says Jake Moore, cyber security expert at ESET. “One side is finding out how it occurred and patching it while learning and adapting rapidly, but the long game involves managing customers’ expectations and making sure the share price doesn’t dip too far.”
According to Moore, the key to rebuilding confidence is to be “upfront, open and honest” from the start: “This builds trust in a company.”
Marriott took a long time to reveal this breach: the first alert fired on September 7, yet disclosure did not come until November 30, nearly three months later and eleven days after investigators decrypted the exfiltrated files and confirmed what had been taken. It also failed to protect valuable customer information, and the firm is already the subject of class action lawsuits that could cost it hugely.